Allow anonymous/public requests to use the Group level Nuget API

Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.

• Close this issue

Context

With !48356 (merged), we added a group level NuGet Repository .

This API was added without any support for public or anonymous requests on public groups.

For example, if you have a public group with a public project with a nuget package, you still need to provide the credentials to nuget to access the package.

Proposal

The group level API can be updated to:

• check if the target group has 0 private packages (or only public packages)
  • If that's the case, anonymous requests should be allowed.
  • The above condition is challenging in SQL. Put a particular care to have a speedy query.

⚠️ The documentation should clearly state that anonymous requests for the group level API work only when there are only public packages.

In other words, the moment a private nuget package is uploaded, all the anonymous requests will be rejected and credentials will be mandatory.

Customer quotes

On gitlab.com we have this exact use case. We have a number of public packages and would love for the ability to retrieve them without credentials.

Right now we have to manage each nuget package with its own unique 'Source' value pointing to the projects nuget API endpoint to access it anonymously.

Having a single group endpoint endpoint without credentials would make managing this so much easier.